Cybersecurity and Innovation in the Information Economy – Segment 7


[ Music ]

>> Howard Schmidt has had a long and distinguished career in defense, intelligence, law enforcement, privacy, academia, and international relations that spans more than 40 years. He served with the Air Force, police departments, the FBI, and the White House on the government side, Microsoft and eBay in industry, and has headed the Information Security Forum, and has served on advisory boards such as the Department of Commerce Information Security and Privacy Advisory Board, the permanent stakeholders group for the European Network and Information Security Agency, and a high level experts group for the International Telecommunications Union. Mr. Schmidt is currently special assistant to the President and is the cyber security coordinator for the federal government. In this role, Mr. Schmidt is responsible for coordinating interagency cyber security policy development and implementation and for coordinating engagements with federal, state, local, international, and private sector cyber security programs. Howard.

[ Applause ]

>> Schmidt: Thank you very much for that kind introduction and, once again, thanks for the invitation to this very important event, and special thanks to Secretary Locke and the Commerce Internet policy task force in putting this together. Secretary Locke was at an event I held at the White House last week, and it was not only great to see him as my former governor, but it was also great for him to participate in the event and really show the leadership that the Department of Commerce is putting together in this effort, as well as their contribution in the overall efforts that we're doing in helping the commercial sector face some of the cyber security threats that we see today.

You know, as we, many of you are very much aware of our cyber security policy in the U.S., it's devoted significant attention to the issues of looking at the systemic risk across the infrastructure, and I see Ken Watts and a few others in the audience who have been doing this for a long time and recognize back when we used to talk about the owners and operators of critical infrastructure, the 85%, and looking at the numbers of mix and match between government systems and private sector systems, we recognize that there is a tremendous, tremendous risk in the critical infrastructure, which just as importantly, and one of the things I am really appreciative of the Commerce taking the lead on, is looking at the rest of the sectors, looking at the commercial entities here and looking at the business world as we look at.

When we look at some of the things we've done, for those of you that haven't heard in the past week or so, some of the things that we've been talking about that the government has done, for example, the release of the national strategy for trusted identities in cyberspace. We released that last month, which is out of character. It's not a, you know, requirement to release these sorts of things, but it was important to us to make sure that we did hear from the private sector on a whole myriad of things relative to trusted identities. But the key issues are looking to have something that's on a voluntary basis. There's privacy enhancing, that basically people get to feel more secure in their transactions online, but not limited to government. Looking at the private sector to sort of put things together, that give people the choices they want to have, form factor, the type of sort of solutions they want to use to protect their own privacy, how they control it, and making sure we're not in an environment where sort of the government is the solution for identities, and getting the feedback from people has been wonderful. Relatively short time frame, but we're trying to push these things out and do them in a rather quick manner rather than go through the traditional take 6 months to develop a plan, then out of that, we're going to develop another plan.

The other thing is the national cyber incident response plan, which is being developed by the Department of Homeland Security, once again, a collective effort in putting things together, bringing this to a point where during the Cyberstorm III event coming up this fall we'll be able to actually put this into play working with the private sector and across the government.

The other thing that we've been doing from the government perspective is issues around FISMA, the Federal Information Security Management Act, and this has been a big issue for many of us, particularly those that have to implement this, moving away from the environment where, to become FISMA compliant, you don't necessarily have to be secure. I've used this comment many, many times. I think this is another good forum to reiterate it, that the idea is if you become secure, you become FISMA compliant. And so changing the way we look at this, changing the way we look at metrics, changing the way that we wind up doing continuous monitoring is really key to our ability for the government systems to be more secure, but also look collectively.

But these efforts are, and continue to be, a foundation in what our cyber, what our overall cyber security strategy is, particularly, and someone raised this to me this morning, which really was surprising, we're actually entering the second decade of the twenty-first century, and it seems just like yesterday we were worrying about Y2K, and here we are, you know, ten years into this issue. So when we look at this, we recognize some of the things that we've done to get us here are not sufficient, and I've got a distinguished panel coming on after I get finished that'll talk about some of those issues. But as the President said in his speech last year, this is one of the most serious economic and national security challenges we face as a nation, and that our economic prosperity in the twenty-first century depends on cyber security in cyberspace, which is one of the things, when the President created my position, making sure I was dual hatted, to widen the field of view so we're looking just beyond the national security interests, but also looking at things that enhance our security and our prosperity.

And today's symposium, of course you're aware, this is going to take us to another level. Also with the Department of Commerce's release of the notice of inquiry, these are significant steps in meeting the President's mandate. So sometimes, believe it or not, I've actually had people say, well, why should we care? And I think there's a real case where [inaudible] again this symposium here identifies how critical cyber security is in our economic competitiveness. Some of the stats that I got, which I found even unbelievable as long as I've been doing this, the Internet now serves as a platform for 10 trillion in online transactions and is expected to surpass 24 trillion in 10 years. Last year, even with the economy overall struggling, experiencing what many of you refer to as a downturn in total retail sales, online retail grew by 2% to almost $135 billion. I mean, that says an awful lot.

The other thing is that businesses of every size and type across our nation really depend on the communication information networks that we, many of us, have learned from an entertainment perspective, from a government perspective, but clearly this is much broader than that, that basically even some simple business things, like running their travel, running their payroll systems, basically just their day to day operations depend on the Internet and the very technologies that the Internet gives us on a day to day basis, but with that, I think there is still a lot of work that needs to be done in recognizing that with these great strides in technology, there are vulnerabilities that many people don't anticipate. I know in my most recent life, I was sitting down with a bunch of VCs and talking about business plans and some of the things that small businesses were looking to do. They had great business plans. They talked about the things they were going to sell, the things they were going to make, the innovations they were going to do, whether it was a mobile platform or it was a look at an enterprise platform. But rarely did I find anybody saying, you know, how we're going to be able to protect this technology, what are we going to do to make sure that we have cyber security in our startup business plan. That's one of the things, when I look at some of the work that Commerce and the Internet policy task force is doing, to make sure that that conversation takes place in everything that everyone's doing.

But when we start looking across the bigger structure and we go into the issue about critical infrastructure [inaudible] other businesses, there were an estimated 29.6 million small businesses in the United States in 2008 according to the Small Business Administration. The National Cyber Security Alliance did a survey of 1500 small businesses last year and found out about 65% of them store some sort of customer data on their local systems. Oftentimes those systems are multiuse. They use them to do their personal email, their business use [inaudible] stored on the same system, and connected to the Internet. A significant percentage of these companies also store credit card information, financial records, their actual property, personal emails, and everything else, yet only 53% of them that were surveyed checked their systems to ensure that operating systems, firewalls, antivirus, anti-spyware, anti whatever the bad things out there might be, are even up to date. You know, that data point unto itself is interesting, but the one that really worries me is the fact that 11% of them say they never check it at all. So when you start looking at the things that small businesses need to do in the economic world today, we really need to look at some of these things. The other parts of the survey were interesting, that only 20%, 28% of U.S. small businesses have formal Internet security policies, although 35% of them say they do have training for employees on how to protect themselves from Internet security issues. Fifty-six percent of them believe that cyber security is the cost of doing business, and 21% believe it's just a nice thing to do. Twenty-five percent of the businesses do not ensure password protection for their wireless networks.

You know, this is an interesting take because, going back to the early days of war driving for wireless connections, and many of you may remember some of those days, it was not uncommon to find a very small amount of wireless connections and most of them open, and now what I'm seeing, and particularly since I'm living in the downtown areas, as I go around with my mobile device and look for wireless connections and see list after list of systems that are locked out, which is a good way of doing business, and particularly in the high density population areas down where I live at. It's seen even in the condominium complexes that people are locking those down, so we are making a difference, and I want to make sure that while 25% of the businesses do not ensure they have it, there's a lot of people, that 75%, that just a few years back would have been much smaller than that. So when we look at some of the strides that we made in this area, we're looking at some of the things the government's done, we recognize that the threats are growing as well.

The Symantec report in April: types of mass distribution intrusion such as phishing exploits, spam, Trojans [assumed spelling] are typically now targeting individuals, and if you think of the evolution of this, this used to be an attack on companies and universities and governments, and now it's directed more towards the individuals. There's actually sort of this underground business of crimeware where we've actually seen some of the things, and for those of you that research this, you've seen them as well, that are actually competing against each other. Buy my crimeware, you know. We do tech support 24/7. You know, we have an ability to support our crimeware. That's how prolific this has become today. So there's that competition between them, which basically really is telling how profitable this is for them. And when you start looking at the advanced persistent threats, or the APT as we call them in the government a lot, against large enterprises, those are becoming more common as cyber criminals are looking to economic espionage and exploiting intellectual property, financial data, and customer data. You know, it's all about the data. That's what they're after now. But we also remember that it's because of the insecure systems out there, that don't just put the businesses themselves at risk, they put all of us at risk. We start looking at some of the major data breaches. While some of us may do good security in our day to day world, because our data's somewhere else, we have to make sure that they're paying as much attention to it and are as serious about it as we are. But we can do better in helping to protect American businesses and reduce the risk that we have out there with some basic safeguards that would help enhance our economic security and competitiveness by reducing some of the systemic vulnerabilities that we have.

So whose responsibility, and, of course, we talk about this all the time, and it's a shared responsibility, and probably more sensitive than I think we've ever recognized in the past. When the President gave a speech last year, he said, "We will collaborate with industry and find technology solutions that ensure our security and promote prosperity." That's one of the things that we're looking to do with the event and the work that Commerce is doing on this. We have to continue to find ways to work together. I think most of us are probably looking for a new way to discuss public private partnerships. You know, back in the mid-90s when that became a very popular term, we had it defined as, well, the private sector would get together and sort of organize amongst themselves, looking for ways to share information on threats, vulnerabilities, and best practices, and hopefully give some of that information to the government. But we've come a long way since then. We have to redefine what it really means and actually make sure we're doing things that are going to be not only helping the government do its job, but also help the private sector to be more productive and more economic and reduce the economic challenges that we have today.

So some of the ways we need to do that, which is why events like this are important, and the Secretary's commitment in this as well as Secretary Napolitano's, by the way, in the event we had last week. We need to raise awareness amongst business leaders to make sure that they understand that the cyber vulnerabilities in their enterprises can be integrated into business risks. It's got to be part of the matrix. It's got to be the things they're talking about at the board level and the executive day to day management. Looking to promote extensive and comprehensive changes within their business model to make sure they're looking after these things. That would go a long way to help us in improving our security overall. We also have to look at the metrics and what are the incentives. There's a lot of discussion as to how can we get them to say, when they're trying to drive forward business needs and technology development, how we can say, "We're not going to throttle you down with security, we're going to enhance it," and build this into some metrics that say, by doing this better, here's how your business improves as well. We also must look at the area of research and development, and there's been a lot of discussion from the government side recently about what are we doing in a private, in the R&D environment, looking at doing that consistent with the needs of the private sector, so my sort of, you know, advertisement, if you would, is a lot of these things, if you go to whitehouse.gov/cybersecurity, you'll be able to find a lot of these things that I've talked about so far in my comments today, but also get some more links to some of the things the Department of Homeland Security is doing and the Department of Commerce, the R&D world from all [inaudible] technology policy, and looking how all these things are coming together to make [inaudible] changes.

So in my closing comments, and I know we're running a little bit late, just sort of remind us that we are indeed diverse communities across the government and the private sector, but together we can bring those resources to actually make some [inaudible] changes and to look at our collective authorities to identify threats, put the word out about what those threats are, how to remediate those threats, and make sure, and as important as anything, that we're developing the next generation of technologies that basically are going to take into account the threats that we've seen and work this way collaboratively. Now I look forward to hearing about the panel coming after me, but as the President said last year, "The nation that invented the Internet, that launched the information revolution, and transformed the world, what we did in the twentieth century will lead once more into the twenty-first century. Working together, we can become more secure, more prosperous, and we can do our part to secure our part of cyberspace." So, thank you, once again, for the opportunity to come here and address you. Thank you.

[ Applause ]

Danny Hutson
